Data Protected - Norway

Contributed by Advokatfirmaet Wiersholm AS

Last updated September 2018

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws

The General Data Protection Regulation (EU) (2016/679)(“GDPR”).

The Act of 15 June 2018 no. 38 relating to the processing of personal data (the “Personal Data Act”) implements the GDPR by reference to its incorporation into the EEA Agreement, together with a limited number of provisions complementing the GDPR.

Entry into force

The GDPR was adopted in the EEA through a Joint Committee Decision on 6 July 2018.

The Personal Data Act, including the GDPR, entered into force in Norway on 20 July 2018 .

_____________________________________________________________________ Top

National Supervisory Authority

Details of the competent national supervisory authority

The Norwegian Data Protection Authority will continue to act as the supervisory authority in Norway.

The Data Protection Authority
Visitor address: Tollbugata 3, 0152 Oslo, Norway
Postal address: P.O. Box 458 Sentrum, NO-0105 Oslo, Norway 

www.datatilsynet.no

Since Norway is not an EU member state, the Data Protection Authority will not represent Norway on the European Data Protection Board. The Norwegian Data Protection Authority is, however, equally bound by the European Data Protection Board's decisions.

Notification or registration scheme and timing

There is no obligation to notify regulators of any processing under the GDPR. 

The Personal Data Act makes provision for regulations on consultation with and approval from the Data Protection Authority.

Special categories of personal data and personal data relating to criminal convictions and offences may be processed upon permission from the Data Protection Authority if found to be necessary for important public interests, or upon the government's adoption of a regulation found to be necessary in relation to important public interests.

Exemptions to notification

Not applicable.

_____________________________________________________________________Top

Scope of Application

What is the territorial scope of application?

The GDPR applies the processing of personal data in the context of the establishment of a controller or processor in the EU.

It also contains express extra-territorial provisions and will apply to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.

The Personal Data Act applies to:

  1. controllers or processors established in Norway whether or not the processing takes place in Norway;
  2. processing of personal data on data subjects located in Norway, and which is performed by a processor or controller not located in the EEA, if the processing relates to: (a) the offering of goods and services to data subjects in Norway, whether or not for payment, and (b) the monitoring of their behaviour, to the extent that such behaviour takes place in Norway;
  3. the processing of personal data by a controller not established in Norway, but in a location subject to Norwegian law according to international law. 

Is there a concept of a controller and processor?

Yes. The GDPR contains the concept of a controller, who determines the purpose and means of processing, and a processor, who just processes personal data on behalf of the controller.

Both controllers and processors are subject to the rules in the GDPR, but the obligations placed on processors are more limited. 

Are both manual and electronic records subject to data protection legislation?

Yes. The GDPR applies to both electronic records and structured hard copy records.

Are there any national derogations?

The GDPR does not apply to law enforcement activities which are instead subject to the Law Enforcement Directive. The GDPR also does not apply to areas of law that are outside the scope of Union law, such as national security, and does not apply to purely personal or household activity.

The Personal Data Act sets out that the GDPR does not apply when personal data is processed by a physical person for strictly personal or family related activities; or processed or determined in accordance with the Norwegian laws relating to the administration of justice. The GDPR also does not apply in relation to the processing of personal data solely for journalistic purposes; in relation to academic, artistic or literary expressions, only the GDPR provisions in relation to the responsibilities of and relationships between the controller (including joint controllers) and processors, codes of conduct and certification will apply (in addition to several national provisions complimenting the GDPR).

_____________________________________________________________________Top

Personal Data

What is personal data?

Personal data is information relating to an identified or identifiable natural person.

This is a broad term and includes a wide range of information. The GDPR expressly states it includes online identifiers such as IP addresses and cookie identifiers.

Is information about legal entities personal data?

No. However, information about sole traders and partnerships is likely to be personal data.

What are the rules for processing personal data?

All processing of personal data must comply with all six general data quality principles. Personal data must be: (a) processed fairly and lawfully; (b) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (c) adequate, relevant and not excessive; (d) accurate and, where necessary, up to date; (e) kept in an identifiable form for no longer than necessary; and (f) kept secure.

The processing of personal data must also satisfy at least one condition for processing personal data. These conditions are that the processing is: (a) carried out with the data subject’s consent; (b) necessary for the performance of a contract with the data subject; (c) necessary for compliance with a legal obligation; (d) necessary in order to protect the vital interests of the data subject; (e) necessary for the public interest or in the exercise of official authority; or (f) necessary for the controller’s or recipient’s legitimate interests, except where overridden by the interests of the data subject.

These rules are almost identical to the core requirements for processing personal data in the Data Protection Directive.

Under the Personal Data Act, the processing of national identity numbers and other unique identifiers (e.g. fingerprints) may only take place when there is an objective need for certain identification and the method is necessary to achieve such identification. The Personal Data Act also contains a provision permitting the government to adopt a regulation on the use of national identity numbers and other unique means of identification.

Pursuant to the Working Environment Act, a company's access to an employee's e-mail account etc. is only permitted if it is either necessary to safeguard the company's business or other legitimate interests, or in the case of justified suspicions that the employee's use of the e-mail account or other electronic equipment constitutes a material breach of the employee's obligations or may provide grounds for notice or dismissal. The Working Environment Act and relevant Regulations provide several requirements in relation to the above, including a duty to notify the employee, and the employee's right to be present during a review.

Pursuant to the Working Environment Act, video surveillance (including the use of fake equipment) must only be performed when necessary to prevent hazardous situations, and to safeguard the safety of the employees and others, or when there is a specific need for such surveillance. The Working Environment Act and relevant Regulations provide several requirements in relation to the above, including a duty to clearly provide information on the relevant surveillance.

Pursuant to the Personal Data Act, the processing of special categories of personal data and data relating to criminal convictions and offences is permitted when the processing is necessary to perform obligations or exercise rights in the field of employment.

Are there any formalities to obtain consent to process personal data?

Obtaining consent will become much harder under the GDPR. 

To be valid, consent must be in clear and plain language and, where sought in writing, separate from other matters. Consent must be based on affirmative action so pre-ticked boxes are not acceptable. Consent might not be valid if: (i) there is any detriment to the data subject for refusing; (ii) there is an imbalance of power; (iii) consent for multiple purposes is bundled together; or (iv) the consent is a condition of entering into a contract. Finally, consent can be withdrawn at any time.

In practice, other processing conditions should be relied on where possible. Consent will only be an appropriate processing condition if the individual has a genuine choice over the matter, for example, whether to be sent marketing materials. 

The Article 29 Working Party has issued Guidelines on Consent (WP259).

Are there any special rules when processing personal data about children?

Consent from a child in relation to online services will only be valid if authorised by a parent. A child is someone under 16 years old, though Member States may reduce this age to 13.

The age of consent in relation to information society services is 13 years pursuant to the Personal Data Act.

_____________________________________________________________________ Top

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The inclusion of genetic and biometric data is new and an extension to the types of sensitive personal data in the Data Protection Directive.

Pursuant to the Personal Data Act, data relating to criminal convictions and offences is generally processed in accordance with the regulations applicable to the processing of special categories of personal data. 

Are there additional rules for processing sensitive personal data?

Sensitive personal data may only be processed if a condition for processing sensitive personal data is satisfied. A condition arises where the processing: (a) is carried out with the data subject’s explicit consent; (b) is necessary for a legal obligation in the field of employment law; (c) is necessary to protect the vital interests of the data subject or another person where the data subject is unable to give consent; (d) is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact; (e) relates to data made public by the data subject; (f) is necessary for legal claims; (g) is for reasons of substantial public interest under EU or Member State law; (h) is necessary for healthcare reasons; (i) is necessary for public health reasons; or (j) is necessary for archiving, scientific or historical research purposes or statistical purposes and is based on EU or Member State law.

Pursuant to the Personal Data Act, the processing of special categories of personal data and data relating to criminal convictions and offences is permitted when the processing is necessary to perform obligations or exercise rights in the field of employment. 

In addition, special categories of personal data and data relating to criminal convictions and offences may be processed without consent for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes provided that the benefits for society clearly exceed the detriment to the data subject. Such processing requires that the controller consults its data protection officer, or similar, or that a data protection impact assessment has been performed.

The Personal Data Act also includes a clause providing that the Data Protection Authority has the authority to allow controllers to be exempt from the prohibition against processing sensitive personal data when the processing is necessary for important public interests, and the Data Protection Authority shall in such cases set out conditions for such processing to safeguard the data subjects' fundamental rights and interests. The Personal Data Act also includes a clause providing that the government may adopt a regulation found to be necessary in relation to important public interests, and that the government shall in such cases set out conditions for such processing to safeguard the data subjects' fundamental rights and interests.

Further, the Personal Data Act sets out that national identity numbers and other unique identifiers may only be processed when there is a just need for secure identification and the method is necessary to achieve such identification.

Are there additional rules for processing information about criminal offences?

It is only possible to process information about criminal convictions or offences if: (a) it is carried out under the control of official authority; or (b) when the processing is authorised by EU or Member State law.

See above. The Personal Data Act sets out that information about criminal offences is to be processed pursuant to the regulations applicable for the processing of special categories of personal data.

Are there any formalities to obtain consent to process sensitive personal data?

Consent to process sensitive personal data must be explicit. The general restrictions on consent, set out above, will also apply. This suggests a degree of formality, such as ticking a box containing the express words “I consent”. It is unlikely explicit consent could be obtained through a course of conduct.

_____________________________________________________________________ Top

Data Protection Officers

When must a data protection officer be appointed?

Both controllers and processors must appoint a data protection officer if: (i) they are a public authority; (ii) their core activities consist of regular and systematic monitoring of data subjects on a large scale; or (iii) their core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).

Pursuant to the preparatory works of the Personal Data Act, the expression "public authority or body" in Article 37(1) litra a of the GDPR, must refer to the central or local government bodies covered by section 1 of the Norwegian Public Administration Act.

The data protection officer is subject to a duty of confidentiality pursuant to the Personal Data Act.

Data protection officers must be registered with the Data Protection Authority.

The Personal Data Act contains a provision permitting the government to adopt a regulation on the obligation to appoint a data protection officer.

What are the duties of the data protection officer?

The data protection officer must be involved in all data protection issues and cannot be dismissed or penalised for performing their role. The data protection officer must report directly to the highest level of management. 

The Article 29 Working Party has issued Guidelines on Data Protection Officers (WP243).

_____________________________________________________________________ Top

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The GDPR adds a new general accountability obligation under which you must not only comply with these new rules, but also be able to demonstrate you comply with them. This means ensuring suitable policies are in place supported by audit and training.

Are privacy impact assessments mandatory?

A privacy impact assessment must be conducted where “high risk” processing is carried out. This includes: (a) systematic and extensive profiling that produces legal effects or significantly affects individuals; (b) processing sensitive personal data on a large scale; and (c) systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).

The Article 29 Working Party has subsequently issued Guidelines on Data Protection Impact Assessments (WP 248). It suggests there are nine criteria to consider to determine whether to conduct a privacy impact assessment, and that an assessment should be made if two or more of those criteria are met. This is arguably wider than the criteria set out in the paragraph above. 

_____________________________________________________________________ Top

Rights of Data Subjects

Privacy notices

A controller must provide data subjects with a privacy notice setting out how the individual’s personal data will be processed. The privacy notice must contain the enhanced transparency information.

The Article 29 Working Party has issued Guidelines on Transparency (WP260).

In Norway, there is no obligation to provide this information in Norwegian, but it may be difficult to demonstrate that the information has been provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language if it is not in a language that the data subject is familiar with.

Rights to access information

Data subjects will have a right to access copies of their personal data by making a written request to the controller. The initial request is free, though a charge can be made for subsequent requests. Controllers can refuse the request if it is manifestly unfounded or excessive. The response must be provided within a month, though this can be extended by two months if the request is complex. 

The Personal Data Act provides exemptions from the right of access and information provided that:

i.        the information is of importance to Norway's national security interests or the defence of the country;

ii.       the information must be kept secret for the purpose of the prevention, investigation, detection and prosecution of criminal offenses;

iii.       it is considered inadvisable for the data subject to gain knowledge of the information out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned;

iv.       the information is subject to a statutory obligation of professional secrecy (must if relevant be explained to the data subject);

v.        the information is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons; and

vi.       disclosure of the information would conflict with obvious and fundamental private and public interests.

The Personal Data Act contains a provision permitting the government to adopt a regulation on exemptions and terms for access and information.

Pursuant to the Personal Data Act, the right of access does not apply to the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as this requires a disproportionate effort, or is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effects for the data subject.

Rights to data portability

Data subjects will also have a right to data portability where the condition for processing personal data is consent or the performance of a contract. It entitles individuals to obtain any personal data they have “provided” to the controller in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another. There is no right to charge fees for this service.

The Article 29 Working Party has issued Guidelines on data portability (WP242).

Right to be forgotten

A data subject can ask that their data be deleted in certain circumstances. However, those circumstances are relatively limited, for example where the processing is based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, there are range of exemptions, for example where there is a legal obligation to retain the data. 

Objection to direct marketing

A data subject can object to their personal data being processed for direct marketing purposes at any time. This includes the processing of their personal data for profiling purposes.

Other rights

The GDPR contains a range of other rights, including a right to have inaccurate data corrected. There is also a right to object to processing being carried out in the performance of a public task or under the legitimate interests condition.

Finally, there are controls on taking decisions based solely on automated decision making that produce legal effects or similarly significantly affects the data subject. The Article 29 Working Party has issued Guidelines on Automated Decision Making and Profiling (WP251).

Pursuant to the Personal Data Act, exemptions from the right to restrict processing may be made when personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as this is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effect for the data subject. 

_____________________________________________________________________ Top

Security

Security requirements in order to protect personal data

The GDPR contains a general obligation to implement appropriate technical and organisational measures to protect personal data.

In addition, controllers and processors must ensure, where appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 

Specific rules governing processing by third party agents (processors)

A controller must ensure that any processor it instructs will ensure adequate security for personal data and otherwise meet the requirements of the GDPR.

The controller must have written contracts with its processor containing the enhanced processor clauses.

Notice of breach laws

A personal data breach must be notified to the relevant supervisory authority unless it is unlikely to result in a risk to data subjects. The notification must, where feasible, be made within 72 hours. If the personal data breach is a high risk for data subjects, those data subjects must also be notified.

The Article 29 Working Party has issued Guidelines on Personal Data Breach Notification (WP250).

Specific notice of breach laws apply to the electronic communications sector under the Privacy and Electronic Communications Directive

The Personal Data Act stipulates that exemptions may be made from the obligation to notify affected data subjects provided that this would reveal information:

i.        of importance to Norway's national security interests or the defence of the country;

ii.       that must be kept secret for the purpose of the prevention, investigation, detection and prosecution of criminal offences; and

iii.      that is subject to a statutory obligation of professional secrecy (this must if relevant be explained to the data subject).

The Personal Data Act also contains a provision permitting the government to adopt a regulation on breach notification obligations.

Moreover, data controllers in certain sectors may be required to inform sectoral regulators of any breach (for example, financial services firms may be required to inform the Norwegian Financial Supervisory Authority of any breach). 

_____________________________________________________________________ Top

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The DPA contains a restriction on transborder dataflows. Transfers can take place if it: (i) is to a whitelisted country; (ii) is made pursuant to a set of Model Contracts; (ii) is made pursuant to binding corporate rules; (iv) is made to an importer who has signed up to an approved code or obtained an approved certification; or (v) is otherwise approved by the relevant supervisory authority.

Transfers are also possible if an individual derogation applies. These derogations allow a transfer if it: (i) is made with the data subject’s explicit consent; (ii) is necessary for the performance of a contract with, or in the interests of, the data subject; (iii) is necessary or legally required on important public interest grounds, or for legal claims; (iv) is necessary to protect the vital interests of the data subject; (v) is made from a public register; or (vi) is made under the so-called minor transfer exemption.

The position is broadly the same as under the Data Protection Directive. One notable change is the introduction of the so-called minor transfer exemption, though that exemption will be very hard to rely on in practice.

The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018).

The Personal Data Act sets out that regulations that specify requirements in relation to transfer to third countries may be issued. No such regulations have been issued yet.

Notification and approval of national regulator (including notification of use of Model Contracts)

In general, there is no need for prior approval from a supervisory authority. However, this depends on the justification for the transfer. 

For example, there will be no obligation to get approval for the use of Model Contracts (though it is possible some supervisory authorities may want to be notified of their use). In contrast, it will be necessary to get approval to rely on binding corporate rules, and the supervisory authority must be informed of transfers made using the minor transfers exemption.

Use of binding corporate rules

The GDPR places binding corporate rules on a statutory footing. It will be possible to obtain authorisation from one supervisory authority that will cover transfers from anywhere in the EU.

In Norway, the Data Protection Authority has approved binding corporate rules from Akastor ASA, Aker Solutions ASA, DNV GL, Itera ASA, Kongsberg, Kvaerner ASA, Norsk Hydro and Yara.

_____________________________________________________________________ Top

Enforcement

Fines

The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or €20m, whichever is the greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data.

A limited number of breaches fall into a lower tier and so are subject to fines of up to 2% of annual worldwide turnover or €10m, whichever is the greater. Failing to notify a personal data breach or failing to put an adequate contract in place with a processor fall into this lower tier.

The Article 29 Working Party has issued Guidelines on administrative fines (WP253).

Pursuant to the Personal Data Act, fines of up to the greater of 2% of annual worldwide turnover or €10m may also be imposed for contravention of the GDPR provisions on the processing of personal data relating to criminal convictions and offences, and for the failure of a controller to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Such fines may also be imposed on official authorities by the Data Protection Authority.

In accordance with the Personal Data Act, the Data Protection Authority may impose daily fines if its decision is not complied with.

If found liable for damages in accordance with the GDPR, damages for non-economic loss may also be imposed pursuant to the Personal Data Act.

Imprisonment

The penal provision in the previously applicable Personal Data Act has been repealed.

Compensation

Data subjects have a right to compensation in respect of material and non-material damage.

Other powers

Regulators will have a range of other powers and sanctions at their disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. They will also have corrective powers enabling them to issue warnings or reprimands, to enforce an individual’s rights and to issue a temporary or permanent ban on processing. 

Practice

In Norway, there is no current enforcement practice in relation to the GDPR. However, the enforcement of the current law is instructive.

A Supreme Court Ruling of April 2017 set out that the copyright owner of movies was not entitled to obtain the identity behind IP addresses used to download such movies using Bit Torrent networks. The Supreme Court found that the data subjects' privacy interests outweighed the interest of the copyright owner.

A Supreme Court Ruling from 2013 established that an employer's use of GPS data as evidence in a dismissal case was incompatible with the purpose for which the data was originally collected, and thus in breach of personal data regulations.

_____________________________________________________________________ Top

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The Marketing Control Act, dated 9 January 2009, implemented Article 13 of the Privacy and Electronic Communications Directive. The Marketing Control Act came in to force on 1 June 2009. Please note that the Act has introduced provisions which give the Consumer Ombudsman the right to impose fines for infringements of the Marketing Control Act.

The Marketing Control Act, the Ecommerce Act and the Ecommerce Regulation were amended on 1 July 2013 to implement the amendments to the Privacy and Electronic Communications Directive.

_____________________________________________________________________ Top

Cookies

Conditions for use of cookies

Under the Ecommerce Act, which was introduced 1 July 2013, users need to be informed of the fact that cookies are used, what kinds of cookies are used, the purpose of the cookies, and who is processing the information. Further, users must consent to the use of cookies.

Provided that said information is provided in a clear, specific and easily accessible manner (on the relevant web site), consent is deemed given: (i) by explicit acceptance on the relevant web site, typically by ticking "I accept"; or (ii) by the fact that the user has enabled cookies in the browser settings. The Norwegian legislator has for "practical reasons" not applied the traditional requirements for valid consents (that the consent needs to be explicitly given).

Regulatory guidance on the use of cookies

There is no regulatory guidance on the use of cookies under Norwegian law.

_____________________________________________________________________ Top

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Marketing Control Act prohibits direct marketing to individuals in the course of business using methods of telecommunication which permit individual communication, such as e-mail, text messaging services to mobile telephones, facsimile or automatic calling machines, without the prior consent of the recipient, unless there is an existing customer relationship and the e-mail is collected in connection with such relationship. A valid consent must be obtained by means of opt-in (a positive indication that the consumer would like to receive marketing, typically by actively ticking a box) rather than opt-out (an opportunity to object to receive marketing). Prior to giving its consent, the consumer must be clearly informed of the extent and contents of the marketing, including how often marketing communications will be sent, which products will be marketed and specific information as to who the marketing communications will be sent from or on behalf of.

Conditions for direct marketing by e-mail to corporate subscribers

Direct marketing by e-mail to corporate subscribers is permitted provided that the e-mail is sent: (i) to the corporation as such; or (ii) to a relevant contact person within the corporation and the service or product marketed is relevant to the business.

For other types of direct marketing to corporate e-mail addresses, the same conditions apply as for direct marketing by e-mail to individual subscribers.

Exemptions and other issues

Direct marketing using telecommunication such as e-mail is permitted if the similar products and services exemption applies. Individual-to-individual e-mail routines set up by companies on the company’s website (tip-a-friend) are permitted in most circumstances. An easy means of opt out shall be provided in each individual communication, regardless of the legal grounds on which the direct marketing is based. The sender must also include the eCommerce information.

_____________________________________________________________________ Top

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

Direct marketing orally by telephone to individuals does not require prior consent.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

Marketing by telephone to corporate subscribers does not require prior consent.

Exemptions and other issues

Section 12 of the Marketing Control Act prohibits direct marketing to individuals by telephone or addressed mail if the individual has chosen to register in the central marketing exclusion register or in the marketer’s register of addresses. However, the similar products and services exemption applies. Direct marketing by text messaging services is prohibited without the prior consent of the recipient (see above under “Marketing by E-mail”).

_____________________________________________________________________ Top